This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner.



6
Except: both hub-and-spoke and network-of-peers federations faced challenges scaling.
- Some of these issues were technical.
- Some of these issues were value-related.
Communities of interest formed to address both challenges.

7
Today's World

8
Enterprise federation today
The majority of enterprises do not participate in federations per se. However, enterprises do use federation technologies to connect to externally provided services. Federation found its enterprise stride via SaaS adoption.

9
Status Quo

10
Welcome SaaS and Its Friends

11
Big shiny object!

12
Federation = Way to attach SaaS to the enterprise = SSO

13
Joining a Federation (The Short Version)

14
Sign business agreement

15
Except: the business isn't involved. Lawyers are involved.
- Appropriate use of attributes and other information is a legal agreement.
Business expectations are assumed to be met by the inherent value of the service.

16
Determine RP’s needs

17
Except: this isn't a dialogue. "Provide the following attributes." But what about entitlements? But what about authorization policies?

24
Telekinesis
Want to effect the authorizations in a remote system: provisioning local objects to effect remote authorization state. But this is a hoax.
- Provision remote objects too

25
Spray old data everywhere
Lots of attributes being pushed, but now with less visibility!
- RPs don't know the quality of the data
- RPs don't know the data's "Sell By" date
- Information sources don't always know where the data went

41
Except: all of these approaches only solve a portion of the problem:
- Administrative authorization
- SSO
What happens with attributes and entitlements that get pushed to the federation partner/service? The enterprise fixation with federated authentication is blinding it to the larger issue: federated authorization.

42
Administrative & runtime authorization

43
Two Kinds of Authorization Policies

44
Administrative Policies
Set up the attributes and entitlements needed to enable access, ahead of their use.

54
A Part and Yet Apart
Each type of policy is maintained by a separate team with a separate change management process. Neither kind of policy is aware of the other. The teams maintaining these policies are usually disconnected as well.

55
The Problem
To completely answer who can do what, both administrative and runtime environments must be examined. Lack of awareness and linkage of the two environments prevents complete answers. Disconnected policies inhibit traceability: we do not know if we are faithfully fulfilling business controls.

56
Things don’t get better in a federated scenario

57
Brain surgery with Buckaroo Banzai
"No, no! Don't tug on that. You never know what it is attached to."

58
Manipulating attributes has unknown and unknowable consequences

59
Things don't get better in a federated scenario
Policy coherence is harder to achieve.
- Administrative policies are typically tribal in nature.
- Runtime policies are tribal in nature… and maintained by a different tribe!
- Examining both sets of policies together is nearly impossible.
Federated SSO is not hard to establish.
- What happens after sign-on is crucial… and it is often well out of sight of the IdP.
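To make the traceability gap from "The Problem" and the "don't tug on that" warning concrete, here is an added illustration (not from the Gartner deck) that joins a provisioned administrative state with a runtime policy to answer "who can do what", and runs an impact analysis before an attribute is changed. Users, attributes, rule names and the helper functions are constructed for this example.

```python
# Added example: joining administrative (provisioned) state with runtime
# authorization rules.  All subjects, attributes and rules are constructed.

# Administrative state: attributes/entitlements provisioned ahead of use.
ADMIN_STATE = {
    "alice": {"dept": "finance", "role": "approver", "region": "eu"},
    "bob":   {"dept": "finance", "role": "clerk",    "region": "eu"},
    "carol": {"dept": "it",      "role": "admin",    "region": "us"},
}

# Runtime policy: action -> attribute predicates that must all hold.
# Kept as data rather than lambdas so the policy can be inspected, not only run.
RUNTIME_POLICY = {
    "approve_invoice": [("dept", "finance"), ("role", "approver")],
    "view_invoice":    [("dept", "finance")],
    "reset_password":  [("role", "admin")],
    "export_eu_data":  [("region", "eu"), ("role", "approver")],
}

def permits(attrs, predicates):
    """Runtime decision: every predicate must match the subject's attributes."""
    return all(attrs.get(k) == v for k, v in predicates)

def who_can(action):
    """Join both environments: subjects whose provisioned attributes satisfy
    the runtime rule for `action`.  Neither side alone can answer this."""
    preds = RUNTIME_POLICY[action]
    return sorted(u for u, a in ADMIN_STATE.items() if permits(a, preds))

def attribute_impact(user, attr, new_value):
    """Impact analysis before changing one attribute: which runtime actions
    the user would gain or lose as a side effect."""
    now = {a for a, p in RUNTIME_POLICY.items() if permits(ADMIN_STATE[user], p)}
    changed = dict(ADMIN_STATE[user], **{attr: new_value})
    after = {a for a, p in RUNTIME_POLICY.items() if permits(changed, p)}
    return {"gained": sorted(after - now), "lost": sorted(now - after)}

def attribute_dependents(attr):
    """Reverse index: which runtime rules reference an attribute, i.e. what a
    change to that attribute is 'attached to'."""
    return sorted(a for a, p in RUNTIME_POLICY.items()
                  if any(k == attr for k, _ in p))
```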

60
Looking into the near future

61
New developments in federated provisioning

62
Cloud HR Is the Lifecycle Feed

63
Cloud Directory Is the New Lifecycle Feed

64
Token Flipper Is the New Lifecycle Feed

65
Token Flipper Is the New Connector

66
Multi-Protocol JIT

67
But all of these solutions

68
will eventually fail.

69
Federation = Way to attach SaaS to the enterprise = SSO

70
Enterprise fixation with federated authentication is blinding it to the larger issue.

71
Federated Authorization

72
Shared Problems

73
Problems with our administrative tools
Traditional on-premise administrative IAM tools are push-oriented.
- These tools are "copy" not "reference" in nature.
Policies should be provisioned, not attributes.
- Attributes should be referenced, not copied.
Authorization policies are increasingly split between administrative and run-time environments.
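The "copy, not reference" point above and the "Sell By" date problem from the "Spray old data everywhere" slide share one illustration, added here and not taken from the deck: a pushed attribute copy that carries provenance and a validity window which the RP checks, beside a reference lookup that asks the authoritative source at decision time. Source names, users, timestamps and function names are all constructed for this example.

```python
# Added example: pushed attribute copies with provenance and a sell-by time,
# versus resolving the attribute by reference.  All values are constructed.
from datetime import datetime, timedelta, timezone

# Sources the RP is willing to accept attribute copies from (constructed).
TRUSTED_SOURCES = {"hr-system", "corp-directory"}

# Constructed reference time for the examples below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

def later(base, hours):
    return base + timedelta(hours=hours)

def push_attribute(user, name, value, source, issued_at, ttl_hours):
    """Shape one record as a push-oriented provisioning tool would send it,
    but with the origin and a 'sell by' time attached to the copy."""
    return {"user": user, "name": name, "value": value, "source": source,
            "issued_at": issued_at,
            "sell_by": issued_at + timedelta(hours=ttl_hours)}

def check_pushed(record, now):
    """RP side: accept a pushed copy only if its origin is trusted and it is
    still inside its validity window.  Returns (accepted, reason)."""
    if record.get("source") not in TRUSTED_SOURCES:
        return False, "unknown source"
    if "sell_by" not in record:
        return False, "no sell-by date"
    if now > record["sell_by"]:
        return False, "stale"
    return True, "ok"

class AttributeSource:
    """The authoritative store.  A 'reference' lookup asks it at decision
    time instead of relying on whatever copy was pushed earlier."""
    def __init__(self, data):
        self.data = data
    def set(self, user, name, value):
        self.data.setdefault(user, {})[name] = value
    def lookup(self, user, name):
        return self.data.get(user, {}).get(name)

def value_from_copy(record, now):
    """Push model: the RP decides on the copy it holds, if it passes checks."""
    ok, _ = check_pushed(record, now)
    return record["value"] if ok else None

def value_by_reference(source, user, name):
    """Pull model: the RP resolves the attribute from its source right now."""
    return source.lookup(user, name)
```

A sell-by date bounds how long a copy can drift from the source, but only the reference lookup reflects a change made after the push.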

74
Problems with our runtime tools
Runtime authorization environments often have opaque policies.
- Hard to execute compliance-related activities.
Attribute and entitlement meaning is inferred and codified in varying ways. What is acceptable use doesn't always make it into the authorization policies.

75
Problems with federated services
There are inconsistent ways of discovering entitlements.
- And on-premise tools (especially IAG) don't know how to deal with that.
Authorization policy is:
- Sometimes managed by the enterprise
- Sometimes by the RP
- Sometimes both
- And not rationalized against administrative policies

76
The problems beneath the problems
Our models are insufficient.
- IAM tools do not model relationships well.
- IAM tools do not model context well.
Authorization is a problem of relationship and context.
- Federated authorization is more so.
We push attributes instead of pulling them. We lack mechanisms to share, distribute, and link authorization policy.

80
What we must do: Hasten evolution
The industry needs to move from pushing attributes to pushing authorization policies. Relationships and context must become first-class citizens in the IAM world and its tools. The enterprise notion of federation as glorified SSO must evolve.